Re: Two ports... two networks... won't route

Typically I come across two issues with this. Intrazone Blocking or a missing policy. I don't see intrazone blocking enabled for trust, so that's good. And I do see a policy for trust to trust. That would indicate a possible NAT or Routing issue. I would recommend a debug

set ff src-ip 10.20.1.x dst-ip 10.18.76.x ip-proto 1

debug flow basic

clear db

<ping from 10.20.1.x to 10.18.76.x>

undebug all

get db str

If needed, flip the flow filter and run it again. Feel free to share the results.

John

John Judge, JNCIS-SEC, JNCIS-ENT

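The debug sequence above produces a per-packet trace that tells you whether the echo request was routed and whether a policy permitted it. As an added example (not part of the original post, and not a Juniper tool), here is a small Python parser that reads that kind of `debug flow basic` output and reports, for each packet, the ingress interface, the 5-tuple, and a verdict: forwarded, dropped for lack of a route, or denied by policy. The sample output embedded below is constructed to resemble the ScreenOS format; the exact wording of the drop messages on a real device may differ, so adjust the two substring checks if your output uses other phrasing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "debug flow basic" output (not captured from a real
# device): three ICMP echo requests, one forwarded, one with no route, one
# denied by policy. Addresses are in the thread's two subnets.
SAMPLE_DEBUG = """\
****** 10021.0: <trust/ethernet0/0> packet received [84]******
  ipid = 12345(3039), @0a1b2c3d
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/0:10.20.1.10/1->10.18.76.20/1,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <ethernet0/0>, out <N/A>
  flow_first_routing: in <ethernet0/0>, out <N/A>
  search route to (ethernet0/0, 10.20.1.10->10.18.76.20) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 3.route 10.18.76.20->10.18.76.20, to ethernet0/1
  routed (x_dst_ip 10.18.76.20) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/1
  policy search from zone 2-> zone 2
  Permitted by policy 3
****** 10022.0: <trust/ethernet0/1> packet received [84]******
  ipid = 22222(56ce), @0a1b2c4e
  packet passed sanity check.
  ethernet0/1:10.18.76.20/1->10.20.1.10/1,1(0/0)<Root>
  no session found
  flow_first_routing: in <ethernet0/1>, out <N/A>
  search route to (ethernet0/1, 10.18.76.20->10.20.1.10) in vr trust-vr for vsd-0/flag-0/ifp-null
  packet dropped, no route to dest
****** 10023.0: <trust/ethernet0/0> packet received [84]******
  ipid = 33333(8235), @0a1b2c5f
  packet passed sanity check.
  ethernet0/0:10.20.1.11/1->10.18.76.21/1,1(8/0)<Root>
  no session found
  routed (x_dst_ip 10.18.76.21) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/1
  policy search from zone 2-> zone 2
  packet dropped, denied by policy
"""

# Regexes for the lines the verdict depends on (modelled on the format above).
HEADER_RE = re.compile(r"^\*+ [\d.]+: <(?P<zone>[^/]+)/(?P<iface>[^>]+)> packet received")
TUPLE_RE = re.compile(
    r"^(?P<iface>\S+):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)"
)
ROUTED_RE = re.compile(r"^routed \(x_dst_ip [\d.]+\) from \S+ \(.*\) to (?P<out>\S+)")
PERMIT_RE = re.compile(r"^Permitted by policy (?P<id>\d+)")


@dataclass
class PacketTrace:
    in_zone: str = ""
    in_iface: str = ""
    src: str = ""
    dst: str = ""
    proto: int = 0
    out_iface: Optional[str] = None
    no_route: bool = False
    policy_id: Optional[int] = None
    policy_denied: bool = False

    def verdict(self) -> str:
        """Classify the trace the way the reply above suggests: route or policy."""
        if self.no_route:
            return "routing: no route to %s from %s" % (self.dst, self.in_iface)
        if self.policy_denied:
            return "policy: denied (zone %s)" % self.in_zone
        if self.out_iface and self.policy_id is not None:
            return "forwarded: %s -> %s by policy %d" % (self.in_iface, self.out_iface, self.policy_id)
        return "incomplete trace"


def parse_debug(text: str) -> List[PacketTrace]:
    """Split debug output into per-packet traces and pull out the key facts."""
    traces: List[PacketTrace] = []
    current: Optional[PacketTrace] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = PacketTrace(in_zone=header["zone"], in_iface=header["iface"])
            traces.append(current)
            continue
        if current is None:
            continue  # text before the first packet header
        m = TUPLE_RE.match(line)
        if m:
            current.src, current.dst, current.proto = m["src"], m["dst"], int(m["proto"])
            continue
        m = ROUTED_RE.match(line)
        if m:
            current.out_iface = m["out"]
            continue
        m = PERMIT_RE.match(line)
        if m:
            current.policy_id = int(m["id"])
        elif "no route to dest" in line:
            current.no_route = True
        elif "denied by policy" in line.lower():
            current.policy_denied = True
    return traces


def summarize(text: str) -> List[str]:
    """One line per packet: ingress, 5-tuple and verdict."""
    return ["%s %s->%s proto %d: %s" % (t.in_iface, t.src, t.dst, t.proto, t.verdict())
            for t in parse_debug(text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_DEBUG):
        print(line)
```

Paste the real `get db str` output into a file and feed it to `summarize()`; a "routing:" verdict points at the route table or virtual router, a "policy:" verdict at the trust-to-trust policy, and a "forwarded:" verdict with no reply in the reverse-direction run (the flipped filter) usually means the far host or its own firewall is not answering.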

Re: Two ports... two networks... won't route

The ping from the firewall is going to be sourced from the firewall's interface, which is on the same subnet as the host.

Most default rules for host firewalls allow pings/traffic from the local subnet, but not from other subnets.

Furthermore, something as simple as a bad default gateway or subnet mask configuration could cause similar problems. The firewall pinging the host happens at layer 2. The other host pinging the target host requires layer 3.